I am trying to restrict access to the built in function logout session to specific user roles.
I am testing with a user that should be restricted from using the command due to the NACM rules.
The user id is:
MDS1-ESUA# id
user = bolt-standard(1004), gid=5000, groups=standard, gids=5000
I have this rule to block the command
rule-list non-admin-override-rules
group [ maintenancexxx readonlyxxx standardxxx ]

rule                      module-name  path                                          access-operations               action
tailf-aaa-authentication  tailf-aaa    /aaa/authentication/users/user[name='$USER']  read                            permit
tailf-aaa-user            tailf-aaa    /user[name='$USER']                           read                            permit
aaa                                    /aaa                                          create read update delete exec  deny
deny-logout-session                    /system/logout                                create read update delete exec  deny
I have turned on the confd developer log to the trace level. This user is able to execute the command with no restrictions. I don’t know why.
MDS1-ESUA# logout session ?
Possible completions:
27 admin@127.0.0.1 maapi 13:40:31
28 admin@127.0.0.1 maapi 13:40:31
32 bolt-standard@10.99.99.110 cli 13:43:19 (*)
34 admin@10.99.99.110 cli 13:44:31
MDS1-ESUA# logout session 34
MDS1-ESUA#
I am including the full running NACM ruleset for reference here.
show running-config nacm rule-list
nacm rule-list support-rules
group [ support ]
rule support-all-rule
module-name *
access-operations *
action permit
context *
!
!
nacm rule-list global-rules
group [ none ]
rule global-ont-rule
module-name *
path /tolt/ont/config
access-operations create,delete
action deny
context *
!
rule global-uni-rule
module-name *
path /tolt/interfaces/uni/config
access-operations create,delete
action deny
context *
!
rule global-net-rule
module-name *
path /tolt/interfaces/net/config
access-operations create,delete
action deny
context *
!
rule global-nni-rule
module-name *
path /tolt/interfaces/nni/config
access-operations create,delete
action deny
context *
!
rule global-user-rule
module-name *
path /aaa/authentication/users
access-operations *
action deny
context *
!
rule global-cpu-interface-rule
module-name *
path /tolt/interfaces/nni/config[aid='OLT1-1']
access-operations *
action deny
context *
!
!
nacm rule-list admin-rules
group [ admin ]
rule admin-all-rule
module-name *
access-operations *
action permit
context *
!
!
nacm rule-list support-override-rules
group [ supportxxx ]
rule support-all-rule
module-name *
access-operations *
action permit
context *
!
!
nacm rule-list admin-override-rules
group [ adminxxx ]
!
nacm rule-list non-admin-override-rules
group [ maintenancexxx readonlyxxx standard standardxxx ]
rule tailf-aaa-authentication
module-name tailf-aaa
path /aaa/authentication/users/user[name='$USER']
access-operations read
action permit
context *
!
rule tailf-aaa-user
module-name tailf-aaa
path /user[name='$USER']
access-operations read
action permit
context *
!
rule aaa
module-name *
path /aaa
access-operations create,read,update,delete,exec
action deny
context *
!
rule deny-logout-session
module-name *
path /logout/session
access-operations create,read,update,delete,exec
action deny
context *
!
!
nacm rule-list readonly-override-rules
group [ readonlyxxx ]
rule only-read
module-name *
access-operations create,update,delete,exec
action deny
context *
!
!
nacm rule-list standard-override-rules
group [ standard standardxxx ]
rule all-tolt-permit
module-name *
path /tolt
access-operations create,read,update,delete,exec
action permit
context *
!
!
nacm rule-list maintenance-override-rules
group [ maintenancexxx ]
rule olt-backup-olt
module-name *
path /tolt/system/backup
access-operations read,exec
action permit
context *
!
rule olt-restore-olt
module-name *
path /tolt/system/restore
access-operations read,exec
action permit
context *
!
rule olt-software
module-name *
path /tolt/system/software
access-operations read,exec
action permit
context *
!
!
nacm rule-list security-override-rules
group [ securityxxx ]
rule deny-any-access
module-name *
access-operations create,read,update,delete,exec
action deny
context *
!
rule aaa-authentication-users
module-name *
path /aaa/authentication/users
access-operations create,read,update,delete
action permit
context *
!
!
MDS1-ESUA#
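Editor's added example (not part of the post above, and not ConfD or tailf-acm code): a small Python model of RFC 8341 data-rule evaluation, loaded with the rule-lists from the `show running-config nacm rule-list` output above in the order the CLI printed them. It lets you trace which rule-list and rule would decide a given user/path/operation, which is the first thing to pin down when a deny rule appears not to fire. Assumptions, all marked in the code: the printed order is the evaluation order; `context *` can be dropped because every rule uses it; the RFC 8341 per-operation defaults apply (the page does not show `nacm read-default` / `write-default` / `exec-default`); `$USER` is substituted with the requesting user name as tailf-acm does; and `module` may be passed as `None` for a node whose YANG module the page does not show. The deny rule is modelled with the `/logout/session` path from the running config, not the `/system/logout` path in the first fragment.

```python
"""Tracing RFC 8341 (NACM) data-rule evaluation against the rule-lists above.
Added editorial example, not ConfD or tailf-acm code; it models only what the
running config uses: group membership, module-name, path-prefix matching,
access-operations and first-match ordering within and across rule-lists."""
from dataclasses import dataclass

ALL_OPS = frozenset({"create", "read", "update", "delete", "exec"})
# Assumed RFC 8341 defaults (read permit, write deny, exec permit); the page
# does not show the nacm read-default / write-default / exec-default leaves.
DEFAULTS = {"read": "permit", "exec": "permit",
            "create": "deny", "update": "deny", "delete": "deny"}

@dataclass(frozen=True)
class Rule:
    name: str
    ops: frozenset        # access-operations with '*' expanded
    action: str           # permit | deny
    path: str = None      # None: rule has no path leaf, so it matches any node
    module: str = "*"     # module-name

@dataclass(frozen=True)
class RuleList:
    name: str
    groups: frozenset
    rules: tuple

def rule(name, ops_spec, action, path=None, module="*"):
    ops = ALL_OPS if ops_spec == "*" else frozenset(ops_spec.split(","))
    return Rule(name, ops, action, path, module)

def path_matches(rule_path, target, user):
    """A path rule covers the named node and all descendants (RFC 8341 3.4.5).
    '$USER' is the tailf-acm substitution; other predicates compare literally."""
    if rule_path is None:
        return True
    rule_path = rule_path.replace("$USER", user)
    return target == rule_path or target.startswith(rule_path + "/")

def evaluate(rule_lists, user, groups, module, target, op):
    """RFC 8341 3.4.4: rule-lists are walked in order, skipping any whose group
    set is neither '*' nor overlapping the user's groups; within an applicable
    list the first rule matching module-name, path and access-operations wins
    and the walk stops. module=None: the node's YANG module is not known, so
    only module-name '*' rules can match it. No hit: per-operation default."""
    groups = frozenset(groups)
    for rl in rule_lists:
        if "*" not in rl.groups and not (rl.groups & groups):
            continue
        for r in rl.rules:
            if (r.module in ("*", module) and op in r.ops
                    and path_matches(r.path, target, user)):
                return r.action, f"{rl.name}/{r.name}"
    return DEFAULTS[op], "default"

G, CRUDX = frozenset, "create,read,update,delete,exec"
# The rule-lists from `show running-config nacm rule-list` above, in printed
# order (assumed to be the evaluation order); 'context *' is omitted because
# every rule in that output uses it.
RULE_LISTS = (
    RuleList("support-rules", G({"support"}), (rule("support-all-rule", "*", "permit"),)),
    RuleList("global-rules", G({"none"}), (
        rule("global-ont-rule", "create,delete", "deny", "/tolt/ont/config"),
        rule("global-uni-rule", "create,delete", "deny", "/tolt/interfaces/uni/config"),
        rule("global-net-rule", "create,delete", "deny", "/tolt/interfaces/net/config"),
        rule("global-nni-rule", "create,delete", "deny", "/tolt/interfaces/nni/config"),
        rule("global-user-rule", "*", "deny", "/aaa/authentication/users"),
        rule("global-cpu-interface-rule", "*", "deny",
             "/tolt/interfaces/nni/config[aid='OLT1-1']"))),
    RuleList("admin-rules", G({"admin"}), (rule("admin-all-rule", "*", "permit"),)),
    RuleList("support-override-rules", G({"supportxxx"}),
             (rule("support-all-rule", "*", "permit"),)),
    RuleList("admin-override-rules", G({"adminxxx"}), ()),
    RuleList("non-admin-override-rules",
             G({"maintenancexxx", "readonlyxxx", "standard", "standardxxx"}), (
        rule("tailf-aaa-authentication", "read", "permit",
             "/aaa/authentication/users/user[name='$USER']", "tailf-aaa"),
        rule("tailf-aaa-user", "read", "permit", "/user[name='$USER']", "tailf-aaa"),
        rule("aaa", CRUDX, "deny", "/aaa"),
        rule("deny-logout-session", CRUDX, "deny", "/logout/session"))),
    RuleList("readonly-override-rules", G({"readonlyxxx"}),
             (rule("only-read", "create,update,delete,exec", "deny"),)),
    RuleList("standard-override-rules", G({"standard", "standardxxx"}),
             (rule("all-tolt-permit", CRUDX, "permit", "/tolt"),)),
    RuleList("maintenance-override-rules", G({"maintenancexxx"}), (
        rule("olt-backup-olt", "read,exec", "permit", "/tolt/system/backup"),
        rule("olt-restore-olt", "read,exec", "permit", "/tolt/system/restore"),
        rule("olt-software", "read,exec", "permit", "/tolt/system/software"))),
    RuleList("security-override-rules", G({"securityxxx"}), (
        rule("deny-any-access", CRUDX, "deny"),
        rule("aaa-authentication-users", "create,read,update,delete", "permit",
             "/aaa/authentication/users"))),
)

def trace(user, groups, module, target, op):
    """Evaluate one request against RULE_LISTS; returns (action, source)."""
    return evaluate(RULE_LISTS, user, groups, module, target, op)
```

Calling `trace("bolt-standard", {"standard"}, None, "/logout/session", "exec")` (bolt-standard is in group `standard` per the `id` output) returns `("deny", "non-admin-override-rules/deny-logout-session")`: the data rule as written would deny an exec on that path, so the rule text itself is not the weak point. What the post shows is the built-in CLI `logout session` command running regardless, which makes the next thing to verify whether ConfD checks that command against data-path rules at all; ConfD's tailf-acm augmentation adds `cmdrule` entries (context, command, access-operations, action) to each rule-list for CLI commands, and a trace-level developer log should show which kind of rule, if any, was consulted for the command. The same first-match walk also flags an ordering problem visible in the config: in `security-override-rules`, `deny-any-access` has no path and denies every operation, so the `aaa-authentication-users` permit after it can never be reached.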